[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Please disable the SELinux execstack/relro checks before FC5 final

Arjan van de Ven wrote:
> right now I fear the only sane answer is "set all to permissive
> behavior"; the minimum for fc5 would be everything that can do plugins
> of any kind, or uses libraries that tend to get replaced (3D ones ;).
> But that ends up being a whole whopping lot...

I'm not so sure.

The most crappy software are all those mozilla/firefox/thunderbird
plugins.  So, yes, we might need more time for that although I'd rather
prefer to have a separate domain for those programs.

The NVidia driver also needs an executable stack but nothing else.

What I have not seen are programs which have their own domain and still
need any of the booleans set.  Somebody should show real evidence that
any of those domains need the permission checks disable.

If we cannot move the moz/ffox/tbird into their own domain then, yes,
disable the checks for unconfined processes.  But we should keep the
tests for all programs which have their own domain.

➧ Ulrich Drepper ➧ Red Hat, Inc. ➧ 444 Castro St ➧ Mountain View, CA ❖

Attachment: signature.asc
Description: OpenPGP digital signature

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]